Back in mid-April at a Little Rock, Ark. Kmart pharmacy, about 788 customers’ prescription information was compromised when thieves took a backup disk that included patients’ names, addresses and prescriptions. While the Kmart data breach was by no means unique, how the large organization’s incident could have been prevented from a technical perspective is worth assessing.
Sol Cates, the Chief Security Officer (CSO) at Vormetric, spoke with HealthITSecurity.com about how the patient data could have been better protected. As a security vendor that focuses on database and backup encryption with healthcare customers such as large pharmacy chains, providing technical solutions that keep customers HIPAA compliant is a must for the company.
Cates said that healthcare organizations and big corporations such as Kmart often aren’t encrypting the data because they’re so focused on the perimeter, not the data itself. He maintains that people adopt any kind of encryption (which is best applied at the media or system level for applications) for three reasons: HIPAA compliance, reacting to a breach or preparing for one, and pressure to enter into business associate agreements (BAAs).
Regardless of where Kmart fits among those three reasons (perhaps all three), the first mistake Kmart made was leaving the backup disk’s sensitive data in the physical control of the manager. Not encrypting the data before it was backed up intensified the problem.
“Make sure data is encrypted before it hits the backup, because one thing we’ve seen is organizations may adopt disk encryption, for example, but a lot of your database backups are left in the dirt,” Cates said. “That was the easiest control they could’ve put in place for physical protection.”
The issue of key management
Data encryption isn’t one-size-fits-all, and healthcare organizations obviously don’t just plug it into their systems and forget about it. Ancillary factors such as key management create problems for organizations such as Kmart because maintaining and securing encryption keys can be cumbersome at large volume.
“Every time a large enterprise hears ‘encryption,’ they think ‘key management nightmares.’ They’ve all been burned in the past, and key management and point solutions are problems as well,” Cates said. “If you have three different ways of doing encryption, you have three different key management (key expiration and rotation) solutions, interfaces and management procedures.”
Healthcare organizations move their risk to the key when using encryption, and the challenge from there is figuring out how to make those keys available and secure them. Cates’ comments reflect just one observer’s point of view, but hearing how Kmart could have been more technically prepared is interesting.
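The two technical points above (encrypt the dump before it ever reaches the backup media, and accept that the risk then moves to the keys, which have to be rotated and expired) fit together in one pattern: envelope encryption. The Go program below is an added illustration written for this article; it is not Kmart’s or Vormetric’s code, and the in-memory KeyManager, the “kek-vN” key IDs and the Backup header layout are assumptions standing in for a real HSM or KMS. Each backup gets its own data-encryption key (DEK), the DEK is wrapped under a versioned key-encryption key (KEK), and rotating the KEK only rewraps the DEK rather than re-encrypting the whole dump. AES-256-GCM from the standard library supplies both confidentiality and a tag that fails the restore if a byte on the disk was altered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager stands in for an external HSM/KMS (assumed here): KEKs never leave it.
type KeyManager struct {
	keks    map[string][]byte // KEK ID -> 32-byte AES key
	current string            // KEK ID used for new wraps
	serial  int
}
func NewKeyManager() *KeyManager { return &KeyManager{keks: map[string][]byte{}} }

// Rotate creates a fresh KEK version and makes it current. Older versions stay
// usable for unwrapping until Retire removes them (key expiration).
func (km *KeyManager) Rotate() (string, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil { return "", err }
	km.serial++
	km.current = fmt.Sprintf("kek-v%d", km.serial)
	km.keks[km.current] = kek
	return km.current, nil
}
// Retire deletes a KEK version; a backup still wrapped only under it is unrecoverable.
func (km *KeyManager) Retire(id string) { delete(km.keks, id) }
func (km *KeyManager) kek(id string) ([]byte, error) {
	if k, ok := km.keks[id]; ok { return k, nil }
	return nil, fmt.Errorf("KEK %q unavailable (expired or retired)", id)
}

// Backup is what lands on the backup disk: a key reference, the per-backup DEK
// wrapped under that KEK, and the database dump encrypted under the DEK.
type Backup struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=KEKID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, dump)
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext. A random 96-bit nonce is fine here: each DEK
// encrypts exactly one backup and each KEK wraps only a handful of DEKs.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
// unseal verifies the GCM tag, so any byte altered on the media is rejected.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if n := gcm.NonceSize(); len(sealed) >= n { return gcm.Open(nil, sealed[:n], sealed[n:], aad) }
	return nil, fmt.Errorf("sealed blob too short")
}

// EncryptBackup encrypts the dump before it ever touches backup media.
func EncryptBackup(km *KeyManager, dump []byte) (*Backup, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := seal(dek, dump, nil)
	if err != nil { return nil, err }
	kek, err := km.kek(km.current)
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek, []byte(km.current)) // AAD binds the wrap to its KEK version
	if err != nil { return nil, err }
	return &Backup{KEKID: km.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}
func DecryptBackup(km *KeyManager, b *Backup) ([]byte, error) {
	kek, err := km.kek(b.KEKID)
	if err != nil { return nil, err }
	dek, err := unseal(kek, b.WrappedDEK, []byte(b.KEKID))
	if err != nil { return nil, fmt.Errorf("unwrap DEK: %w", err) }
	return unseal(dek, b.Ciphertext, nil)
}

// Rewrap moves a backup onto the current KEK without touching the (large)
// ciphertext: rotation rewrites only the few dozen bytes of wrapped DEK.
func Rewrap(km *KeyManager, b *Backup) error {
	oldKEK, err := km.kek(b.KEKID)
	if err != nil { return err }
	dek, err := unseal(oldKEK, b.WrappedDEK, []byte(b.KEKID))
	if err != nil { return err }
	newKEK, err := km.kek(km.current)
	if err != nil { return err }
	wrapped, err := seal(newKEK, dek, []byte(km.current))
	if err != nil { return err }
	b.KEKID, b.WrappedDEK = km.current, wrapped
	return nil
}
```

The intended sequence is NewKeyManager, Rotate (to mint the first KEK), EncryptBackup at dump time, then on a rotation schedule Rotate, Rewrap every backup still in retention, and only then Retire the old version. The last step is where the “key management nightmare” Cates describes actually bites: a stolen disk holding this structure is useless without the KEK, but so is a legitimate restore if the KEK was retired before that backup was rewrapped, so the rewrap pass and the retention inventory have to be part of the same procedure.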